Cloud computing is the use of computing resources, including hardware and software, that are delivered as a service over a network, typically the Internet. As cloud computing gains popularity and businesses increasingly adopt cloud-based services, concerns over the security and risk of using those services become significant. Traditionally, systems and software applications were deployed in enterprise environments, such as within an enterprise's own private data network, under strict controls and policies ensuring that data handling and usage complied with the enterprise's standards. The adoption of cloud-based services offered by third parties, however, creates a potential mismatch with, or complete absence of, the enterprise-level controls that would otherwise be expected. Enterprises are therefore faced with the challenge of assessing the risk exposure associated with their use of cloud-based services so that appropriate compensating controls can be applied.
The primary method of cloud service risk assessment today is labor intensive: it is based on questionnaires or compliance checklists that each cloud service provider must fill out. This manual assessment method has several problems. First, the service provider has to cooperate, which is not always possible. Second, the provider's answers require third-party validation, typically undertaken by auditors. Finally, the manual assessment method is expensive in both cost and time. Some standards organizations, such as CSA, maintain a service registry, but they have not identified properties of a cloud service through crowd-sourcing, web crawling, hands-on experience in using the service, or similar means, and instead typically rely on the more traditional questionnaire approach.